Chris Mosby's Blog

Sunday, November 28, 2004

The wife and I just got back from Thanksgiving Vacation with my folks a little bit ago, so I was checking out what I missed since Wednesday (yes, almost five days with no internet!!). Take a look at what I found on the Internet Storm Center’s diary for the 23rd…

On November 5, 2004, Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator, sent us an "Open Letter To Anti-Virus Software Companies" that we thought was interesting enough to publish:

Yesterday, we received the following response from members of the USCERT's CME (Common Malware Enumeration) initiative. While we don't have any policy about providing "equal time", we thought that their response was also interesting enough to publish:

------------------begin letter------------------

As members of US-CERT’s Common Malware Enumeration (CME) initiative, we would like to respond to Mr. Chris Mosby’s “Open Letter to the Anti-Virus Software Companies” and let Mr. Mosby and the rest of your readers know that we recognize that there are challenges surrounding the “Virus Name Game.” US-CERT and leading security vendors are working together to solve these challenges.

As you may be aware, US-CERT sponsors the Common Vulnerabilities and Exposures list (CVE), which has addressed similar challenges in the vulnerability space (http://www.us-cert.gov/cve/). By building upon the success of CVE and applying the lessons learned, US-CERT, along with industry participants mentioned below, hopes to address many of the challenges that the anti-malware community currently faces with respect to identifying malware through the CME initiative.

As a “neutral third party” in the marketplace, US-CERT will coordinate with security vendors to implement a CME malware identification scheme. Limited operational capability is expected 1Q05; this phase will concentrate on the most important threats, including the recent Beagle/Bagle variants. The role of US-CERT will be to assign a CME identifier (e.g., CME-1234567) to each new, unique threat and to include additional incident response information when available. As our experience with CVE shows, once all parties adopt a neutral, shared identification method, effective information sharing can happen faster and with more accuracy, making it easier to distinguish between very similar threats. In this manner, US-CERT believes that an effective structure can be built to improve what is currently the chaotic world of malware identification.

As mentioned both in Mr. Mosby’s letter and the response posted on November 8th, there are significant obstacles to effective malware enumeration, including the large volume of malware and the fact that deconfliction can be difficult and time-consuming. The CVE experience confirms that strong industry support and involvement is required to meet these challenges. To this end, US-CERT is working with some of the key industry players, including McAfee, Symantec, TrendMicro, and Microsoft. In addition, US-CERT plans to meet with other stakeholders to explore how they can contribute and participate. To date, all parties have shown a strong willingness to work together toward the goal of improving the malware information resources available to AV software users, first responders, and malware analysts – anyone who depends on accurate, concise information about malware. Solving the virus naming problem is a challenging process, but a goal shared across the industry.

We certainly welcome observations such as Mr. Mosby’s. From our point of view, the question is not “why should we have CME IDs” but “how do we make CME IDs work?”

Desiree Beck, CME Technical LeaderUS-CERT

Andy Purdy, Acting Director NCSDDepartment of Homeland Security

Larry Hale, Deputy Director NCSDDepartment of Homeland Security

Jimmy KuoMcAfee Fellow - McAfee, Inc.

Matthew Braverman, Program ManagerMicrosoft CorporationSecurity Business and Technology Unit – Antivirus Team

Mady Marinescu, Development LeadMicrosoft CorporationSecurity Business and Technology Unit – Antivirus Team

Randy Treit, Program ManagerMicrosoft CorporationSecurity Business and Technology Unit - Antivirus Team

Friday, November 19, 2004

Looks like Friday is virus day again. Keep and eye on your antivirus vendor's website, this has already reached Medium risk at Trend Micro and McAfee and it looks like it is spreading fast.

Sober.I Worm - MEDIUM RISK by Secunia: "The Sober worm family is proliferic in email generation and this new variant has been declared as MEDIUM RISK by Secunia, and it is reported to be spreading in the France, Germany, and Australia.

Tuesday, November 16, 2004

From The Pulse: Marvel Comics filed suit against NCSoft and Cryptic Studios concerning their creation, gaming sensation City of Heroes on November 10th. The suit alleged COH allowed "players to design characters that are virtual copies of its own superheroes, including 'The Incredible Hulk.'" Wired.com is now reporting Marvel's complaint also singled out City of Heroes' icon Statesman as "strikingly similar to Captain America" and that "... defendants have created, marketed, distributed and provided a host environment for a game that 'brings the world of comic books alive,' not by the creation of new or original characters but, instead, by directly, contributorily and vicariously infringing upon Marvel copyrights and trademarks."

Wired.com also has information from Marvel lawyers taken from the lawsuit. Wired.com reports:

"Considering that defendants own no comic characters themselves, it stands to reason that the comic books to which they refer are those that depict the characters of Marvel and others," wrote Marvel's attorneys in the complaint. "Defendants' Creation Engine facilitates and, indeed, encourages players to create and utilize heroes that are nearly identical in name, appearance and characteristics to characters belonging to Marvel."

"'Statesman,' a character strikingly similar to Marvel's Captain America (right down to the trademark large white star on his chest and shield), prominently appears on the front of the City of Heroes box and guides the user through the 'creation' process," argues Marvel's complaint. "Defendants' infringement is so brazen that their only attempt to disguise 'Statesman' is to give him a helmet that is nearly identical to the trademark helmet worn by 'Magneto,' another of Marvel's X-Men characters."

Friday, November 05, 2004

As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one; but three globally spreading variants of the Bagle virus.

Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days; I wanted to write to you on behalf of your customers to let you in on a little secret that we already know.

The “Virus Name Game” has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.

Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of synch with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out everyday, with virus writers trying to out do each other in some childish game of hacker supremacy; and you were dealing with the waves of malware as fast as you could. When the “virus war” slowed down with the arrest of the author of Netsky, your virus variant names stayed out of synch. Your customers were able to “deal with it” as the new viruses trickled in at their normal pace by working together as a community with resources like the Internet Storm Center, Secunia’s Virus Information page, VGrep Online, MyITforum’s Security message boards,and AntiVirus e-mail list.

This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.

While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed; but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.

Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers were lower. Their virus variant names were different than other companies, so your customers were left in the dark.

Still other companies had only one or two of these variants listed, with various degrees of detail; and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers in the dark again. For those of your customers that use more than one companies anti-virus product, and I know there are plenty out there; that left them with an even bigger mess than just the virus outbreak. With all of this going on your customers “dealt with it” as they usually do, working together as community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.

I think I can speak for everyone in the security community when I say; “dealing with it” is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected.We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.

However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to accomplish this and keep your customers better informed about how they are protected.

Thank you for your time and attention,Chris MosbySMS AdministratorMyITforum Security Message Board Moderator.

Friday, July 16, 2004

* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment can be a password-protected zip file, with the password included in the message body.
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
* uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.